Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET)

1) Introduction

Software vulnerabilities and exploits are a fact of life for computer users exposed to threats on the Internet. Virtually every software product has to deal with them, and consequently users face a steady stream of security updates. For users who are attacked before they obtain the latest updates, or before an update is even available, the results can be devastating: malware infection, loss of personal information, and so on.

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system by applying a few techniques that thwart common exploitation technologies and techniques.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a user's computer. EMET allows users to manage these technologies on their system while providing several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available, or when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per-process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It's not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk, as legacy software is notorious for having security vulnerabilities. While the real solution is migrating away from the legacy software, EMET can help manage the risk in the meantime by making it harder for hackers to exploit vulnerabilities in the legacy software.

4. Ease of use: The policy for system-wide mitigations can be seen and configured with EMET's graphical user interface. There is no need to locate and decipher registry keys or run platform-dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.

5. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques. [1]

This article describes how an end user can use EMET to reduce the likelihood of, or prevent, a successful exploitation. However, there is no guarantee that EMET will stop new techniques for bypassing its protection.

2) Download and install

Begin by downloading EMET and installing it using an account that has administrator privileges. EMET can be obtained from Microsoft's official website [2].

Microsoft digitally signs the installer; however, below are the hashes for the version 2.0.0.3 published on 18/11/2010:

MD5: 82b42f70eb45bcffab6ea4f62ae8b6a6
SHA1: 58c3d1a3caddf71a7074960416bb91e39d7988d2

The installation is very straightforward; you have the option of installing EMET for yourself or for anyone using the computer. Once installed, launch EMET by clicking on:

Start > All Programs > Enhanced Mitigation Experience Toolkit > EMET 2.0
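Before installing, it is worth checking both the published hashes and the digital signature on the downloaded file. The following PowerShell script is an added example (not part of the article or of EMET itself); the installer path is an assumption, and the hash values are the ones quoted above for version 2.0.0.3.

```powershell
# Added example (not from the article): verify the downloaded EMET 2.0.0.3 installer
# against the MD5/SHA1 values quoted above and check its Authenticode signature.
# The installer path is an assumption; adjust it to where you saved the download.
$Installer = "$env:USERPROFILE\Downloads\EMET Setup.msi"

# Hashes as published in the article for version 2.0.0.3 (18/11/2010)
$Expected = @{
    MD5  = "82b42f70eb45bcffab6ea4f62ae8b6a6"
    SHA1 = "58c3d1a3caddf71a7074960416bb91e39d7988d2"
}

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer"
}

$ok = $true
foreach ($alg in $Expected.Keys) {
    # Get-FileHash is available from Windows PowerShell 4.0 onwards
    $actual = (Get-FileHash -LiteralPath $Installer -Algorithm $alg).Hash.ToLowerInvariant()
    if ($actual -ne $Expected[$alg]) {
        Write-Warning "$alg mismatch: expected $($Expected[$alg]), got $actual"
        $ok = $false
    } else {
        Write-Host "$alg OK"
    }
}

# Microsoft signs the installer; a valid Microsoft signature is the stronger check,
# since hash values copied from a web page can themselves be altered.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft') {
    Write-Warning "Signature check failed: status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
    $ok = $false
} else {
    Write-Host "Authenticode signature valid, signed by $($sig.SignerCertificate.Subject)"
}

if (-not $ok) { throw "Do not install: integrity checks failed." }
Write-Host "All integrity checks passed; proceed with installation."
```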

3) Configuring EMET

To properly use EMET, it needs to be configured. Below are the step-by-step instructions for configuring EMET for applications.

Launch EMET and click on Configure System as shown in Figure 1.


Figure 1

Change the System Configuration to Maximum Security Settings as in Figure 2. This will set DEP to Always On. DEP (Data Execution Prevention) is one of the exploit mitigation techniques developed by Microsoft, and it is recommended to enable it. Please read MyCERT's article on configuring DEP on Windows.


Figure 2

Click on Configure Apps to add protection for specific applications that you have installed as shown in Figure 3.


Figure 3

Click on the Add button for each application you wish to protect, as shown in Figure 4. You will then browse to the executable file in the Programs folder to select it, as in Figure 5. MyCERT recommends that users enable protection for applications used daily, such as browsers, office suites, multimedia players and communication suites.


Figure 4


Figure 5

Depending on the software applications installed on your computer, here are some suggestions for applications that would benefit from having additional protections enabled [3][4]:

  • Web browsers installed on your computer (Internet Explorer, Firefox, Chrome, Opera, Safari)
  • Microsoft Office suite (Access, Excel, Outlook, Power Point, Word)
  • Sun (now Oracle) Java
  • Media player (Windows Media Player, VLC, iTunes, RealPlayer, QuickTime, Winamp)
  • Any software that waits and listens for a network connection (FTP server, Web server)
  • PDF reader (Adobe Reader, Adobe Acrobat, Foxit Reader)
  • Email client application (Outlook, Thunderbird)
  • Instant messenger (Yahoo Messenger, Live Messenger, Gtalk, Skype, AIM, AOL, ICQ)
  • Any software application that Secunia PSI (http://secunia.com/vulnerability_scanning/personal) reports as being "End of Life"

Once done, click on OK as in Figure 6.


Figure 6

Close EMET and a popup will appear asking you to restart your computer, as shown in Figure 7. Restart your computer.


Figure 7
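After the restart, the resulting system state can be checked from PowerShell. This added example (not part of the article or of EMET) reads the system-wide DEP policy that the Maximum Security Settings profile sets and searches Program Files for the applications suggested in the list above, so they can be added under Configure Apps; the executable names are assumptions.

```powershell
# Added example (not from the article): confirm that the system-wide DEP policy is
# "Always On" (what the Maximum Security Settings profile sets) and list the
# executables from the article's suggestions that are actually installed.
$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host ("DEP available: {0}; policy: {1} ({2})" -f $os.DataExecutionPrevention_Available, $policy, $policyNames[$policy])
if ($policy -ne 1) {
    Write-Warning "DEP is not Always On; re-check Configure System > Maximum Security Settings."
}

# Candidate executables, grouped as in the article's list (file names are assumptions)
$candidates = @(
    'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe', 'safari.exe',        # browsers
    'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe',      # Office
    'java.exe', 'javaw.exe',                                                         # Java
    'wmplayer.exe', 'vlc.exe', 'itunes.exe', 'realplay.exe', 'quicktimeplayer.exe', 'winamp.exe',
    'acrord32.exe', 'acrobat.exe', 'foxit reader.exe',                               # PDF readers
    'thunderbird.exe', 'skype.exe', 'yahoomessenger.exe', 'msnmsgr.exe', 'googletalk.exe', 'aim.exe', 'icq.exe'
)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }

$found = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $candidates -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}
if ($found) {
    Write-Host "Installed applications to consider adding under Configure Apps:"
    $found | Sort-Object -Unique
} else {
    Write-Host "None of the suggested applications were found under Program Files."
}
```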

4) Troubleshooting Incompatible Applications


Figure 8 DEP error message

Sometimes a benign application will trigger DEP simply due to faulty coding. We often see this on older applications or things like shareware. It is usually not on purpose and never caused a problem in the old days, but now that security is paramount, inefficient (and sometimes sloppy!) memory management can cause some serious issues. Of course the solution for this is to get the application's vendor to fix the problem triggering the DEP, but that would likely not happen for old versions of applications or shareware applications. In this case, you can exempt the application from DEP monitoring so that DEP ignores it. As long as you trust the application in question and know it is not really doing anything malicious, exempting it from DEP should not be a problem. [5]

Follow these steps to add an exception for a trusted incompatible application:

  • Go back to EMET's System Configuration by clicking on "Configure System" and change the Profile Name to Recommended Security Settings.
  • Exit EMET and restart your computer.
  • Right click on My Computer and choose Properties as in Figure 9.


    Figure 9 Opening system properties

  • Click on the Advanced tab and under the Performance section, click on Settings as in Figure 10.


    Figure 10

  • Go to the Data Execution Prevention tab, click on "Turn on DEP for all programs and services except those I select", and click on Add as in Figure 11. Browse to and choose the incompatible application, and click OK.


    Figure 11

  • Make sure the application that you have selected appears and is selected as shown in Figure 12. Click on Apply and OK.


    Figure 12

  • Restart your computer.
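Exemptions added this way should be reviewed periodically, since each one removes DEP from an application. The following PowerShell script is an added example (not part of the article or of EMET) that lists the executables currently exempted from DEP by reading the AppCompatFlags\Layers registry key, where Windows stores these exemptions with the DisableNXShowUI flag.

```powershell
# Added example (not from the article): audit which applications have been exempted from
# DEP through System Properties. Windows records those exemptions as values under the
# AppCompatFlags\Layers key whose data contains the DisableNXShowUI flag; the value name
# is the executable path. Run from an elevated prompt to read the machine-wide key.
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$exempt = foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # -match is case-insensitive, so both "DisableNXShowUI" and "DISABLENXSHOWUI" match
        if ($data -match 'DisableNXShowUI') {
            [pscustomobject]@{
                Scope      = $key.Split(':')[0]
                Executable = $name
                Layers     = $data
                Exists     = (Test-Path -LiteralPath $name)
            }
        }
    }
}
if ($exempt) {
    Write-Host "Applications currently exempted from DEP:"
    $exempt | Format-Table -AutoSize
    # Entries whose executable no longer exists are stale and can be removed from the list
    $stale = @($exempt | Where-Object { -not $_.Exists })
    if ($stale.Count -gt 0) {
        Write-Warning ("{0} stale exemption(s) point to missing files." -f $stale.Count)
    }
} else {
    Write-Host "No DEP exemptions found."
}
```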

A helpful User Guide for your reference can be obtained from Microsoft TechNet Blogs [6].

Applications that have been added under "Configure Apps" are forced to run with Permanent DEP enabled, so EMET still protects them even though they are listed in the DEP exclusion list.


Figure 13 Without EMET support: DEP enabled, and application listed in DEP exclusion list.


Figure 14 With EMET support: DEP enabled, and application listed in DEP exclusion list.

References

1. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&pf=true#Overview
2. http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409
3. http://www.rationallyparanoid.com/articles/microsoft-emet-2.html
4. http://securehomenetwork.blogspot.com/2010/10/use-emet-on-windows-machines.html
5. http://blogs.technet.com/b/askperf/archive/2008/06/17/to-dep-or-not-to-dep.aspx
6. http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
7. http://www.mydigitallife.info/2010/09/20/enhanced-mitigation-experience-toolkit-emet-anti-exploit-free-download/